Nervous Credit Unions Seek Buffers After DDoS Attacks

Call it a frighteningly mixed message. In the last week of January, the al-Qassam Cyber Fighters who had been claiming the Distributed Denial of Service takedowns of some of the nation’s largest financial institutions, turned their sights on credit unions.

The attacks knocked the $1.5 billion University Federal Credit Union in Austin, Texas, and the $3.8 billion Patelco Federal Credit Union in Pleasanton, Calif., both offline, making them the first credit union casualties of the present DDoS wave.

At the same time, the Cyber Fighters announced a suspension of its DDoS campaign, citing the removal of a video it had deemed offensive from YouTube. Wrote the Cyber Fighters: “The al-Qassam cyber fighters lauds this positive measure of YouTube and on this basis suspends his operation and plans to give a time to Google and U.S. government to remove the other copies of film as well. During the suspension of Operation Ababil, no attack to U.S. banks would take place by al-Qassam cyber fighters.”

Which raises the big question: what does this suspension mean? And, an even bigger question: what should credit unions do now in regard to beefing up DDoS mitigation capabilities?

The experts consulted are united in seeing no good news for credit unions in the suspension.

Said Rich Bolstridge, a DDoS expert with Akamai, a Cambridge, Mass.-based Internet traffic company, “We believe the hackers are going back to regroup and develop additional attack capabilities.”

“I don’t think they can be trusted,” said Avivah Litan, a Gartner analyst who tracks DDoS. “Their tactics have been succeeding. They will not give them up. They will be back for more because they are getting what they want.”

As for what they want, some analysts agree that the primary objective appears to be to create uncertainties about the reliability and dependability of the United States’ financial system.

Knock many big banks off line and mission accomplished.

The second objective appears to be to win headlines. Some don’t believe getting the videos removed from YouTube is a significant priority for al-Qassam.

“That is not even possible and they are technically advanced enough to know that,” said Joe Knape, an expert with Caliber Security Partners in Bothell, Wash. Knape’s point is there are enough copies of the video in circulation so that for every version that is erased, another copy will be uploaded. There just is no eliminating all traces of such a video, some experts have warned.

Even if the Cyber Fighters are sincere about the videos and YouTube somehow erased all copies, Lynn Price, a financial sector strategist with IBM, predicted that “even if the one group stops its attacks, others will pick this up.”

That is because the Cyber Fighters have inflicted pain on some of the planet’s biggest banks and, suggested Price, other groups, perhaps with political motivations or perhaps simple criminals, will find ways to follow this lead and will use DDoS as a weapon.

“It can become a competition among hackers,” warned Price, meaning villains may brag about who took down the biggest, or most financial institutions for the longest time.

That is not a cheery outlook for credit union IT security, and the news gets worse.

Ken Baylor, a vice president at security research firm NSS Labs in Austin, Texas, and a former vice president of security at Wells Fargo, predicted, “The attacks will come back and they will be bigger,” ominously pointing out that the attacks have been growing in sophistication. “They have been huge but also very agile,” said Baylor.

The Patelco attack was a case in point. When the credit union’s IT staff shifted good traffic from one server to another, leaving the DDoS traffic isolated, within a few minutes the attackers re-pointed their DDoS and hit the second server, said Patelco President/CEO Ken Burns.

“They just keep getting better at this,” said Baylor who pointed out that until very recently the attack traffic carried signatures or digital fingerprints that mitigation firms had figured out and they used them to isolate and attempt to contain the DDoS traffic.

The latest rounds from the Cyber Fighters are revolving around packets that lack signatures and, more insidiously, “they are finding ways to interact with the target servers. It looks like legitimate traffic,” said Brian Laing, an executive with AhnLab, an Internet security company in Seoul, South Korea.

For instance, the traffic comes in asking for a password reset. Multiply that over millions of requests, all asking for a password reset, which is a server-intensive process, and it is easy to see the server succumbing to the attack.
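The password-reset flood described above is an application-layer attack: each request is well formed and carries no packet signature to match, so the tell is the cost of what is being asked, not the shape of the bytes. The script below is an added illustration, not code from the article or from any of the vendors quoted in it. It runs two checks over constructed Common Log Format lines: a per-source cost budget, which catches a single host hammering the reset form, and a per-endpoint aggregate budget, which catches a distributed flood where every source stays under the per-host limit. The endpoint cost weights, window size and thresholds are assumed values for illustration, not measured figures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts.timestamp(), "method": m["method"], "path": m["path"]}


def request_cost(method, path):
    """Assumed relative server cost per request type (illustrative weights, not measured).

    A password reset is expensive (database lookup, token generation, outbound mail),
    a login is moderately expensive, a static page is cheap."""
    if method == "POST" and path == "/password-reset":
        return 50
    if method == "POST" and path == "/login":
        return 5
    return 1


def find_floods(lines, window_s=10, per_source_limit=100, per_endpoint_limit=500):
    """Bucket requests into fixed windows and total their cost per source and per endpoint.

    Returns the sources that blew their own budget and the endpoints whose aggregate
    cost exceeded the limit, each with its cost and the number of distinct sources."""
    per_source = defaultdict(int)          # (window, ip) -> total cost
    per_endpoint = defaultdict(int)        # (window, path) -> total cost
    endpoint_sources = defaultdict(set)    # (window, path) -> distinct source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = int(rec["ts"] // window_s)
        cost = request_cost(rec["method"], rec["path"])
        per_source[(w, rec["ip"])] += cost
        per_endpoint[(w, rec["path"])] += cost
        endpoint_sources[(w, rec["path"])].add(rec["ip"])
    noisy_sources = sorted({ip for (w, ip), c in per_source.items() if c > per_source_limit})
    flooded_endpoints = sorted(
        (path, c, len(endpoint_sources[(w, path)]))
        for (w, path), c in per_endpoint.items()
        if c > per_endpoint_limit
    )
    return {"noisy_sources": noisy_sources, "flooded_endpoints": flooded_endpoints}


def build_sample_log():
    """Constructed traffic (not a real capture): a little normal browsing, one host
    hammering the reset form alone, and a distributed burst of twenty sources each
    sending a single password-reset POST in the same second."""
    fmt = '{ip} - - [28/Jan/2013:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 300'
    lines = [
        fmt.format(ip="10.0.0.5", sec=1, method="GET", path="/index.html"),
        fmt.format(ip="10.0.0.5", sec=2, method="POST", path="/login"),
        fmt.format(ip="10.0.0.6", sec=2, method="GET", path="/index.html"),
    ]
    lines += [fmt.format(ip="203.0.113.9", sec=4, method="POST", path="/password-reset")
              for _ in range(3)]
    lines += [fmt.format(ip=f"198.51.100.{i}", sec=3, method="POST", path="/password-reset")
              for i in range(1, 21)]
    return lines


if __name__ == "__main__":
    print(find_floods(build_sample_log()))
```

On the constructed sample, only 203.0.113.9 trips the per-source budget; the twenty distributed sources each cost 50, under the limit of 100, and would pass a per-IP rate limiter unnoticed. The per-endpoint check still flags /password-reset, because its aggregate cost for the window is far above budget and spread across 21 distinct sources, which is the signal that distinguishes a distributed flood of legitimate-looking requests from one misbehaving client.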

“There is no magic bullet for DDoS,” said Robert Jenkins, CEO of CloudSigma, an operator of a public cloud based in Zurich, Switzerland.

That is the problem and, right now, it is an advantage for DDoS developers because the mitigation companies, by their nature, react to what the DDoS perpetrators do and that gives the criminals an edge.

As for what credit unions should do, IBM’s Price urged a multi-tiered approach involving layers of security, including a rugged firewall, a DDoS mitigation appliance that sifts incoming traffic, and an arrangement for acquiring substantial bandwidth on an as-needed basis, frequently from a telco.

Do all that and it is still not a guarantee of being able to dodge DDoS. But, said the experts, these are steps in a safe direction and institutions need to plan now for what to do when DDoS returns.